OpenSSH public key problem with Solaris 10

Erich Weiler weiler at soe.ucsc.edu
Sat Jul 1 00:04:20 EST 2006


Hi y'all-

I've got this odd OpenSSH problem with Solaris 10 I was hoping someone
could shed some light on.  Not sure if it is a bug... Basically I'm
trying to use pubkeys as an auth method, but am having issues.  I can
log in using passwords no problem, but as soon as it notices a matching
public key it closes the connection.  I ran the sshd server (on the Solaris
10 box) in debug mode and got this output when I tried to log in:

% sshd -d
debug1: sshd version OpenSSH_4.3p2
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: rexec_argv[0]='/usr/local/openssh.10/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 11
debug1: inetd sockets after dupping: 4, 4
Connection from 128.114.48.86 port 49490
debug1: Client protocol version 2.0; client software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_4.3
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user weiler service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "weiler"
debug1: PAM: setting PAM_RHOST to "banshee.cse.ucsc.edu"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for weiler from 128.114.48.86 port 49490 ssh2
Failed none for weiler from 128.114.48.86 port 49490 ssh2
debug1: userauth-request for user weiler service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 3495/100 (e=0/0)
debug1: trying public key file /cse/tstaff/weiler/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 3495/100 (e=0/0)
debug1: trying public key file /cse/tstaff/weiler/.ssh/authorized_keys2
debug1: matching key found: file /cse/tstaff/weiler/.ssh/authorized_keys2, line 2
Found matching RSA key: 4d:c0:33:3b:dd:75:89:bb:d1:36:e7:17:2b:85:34:9c
debug1: restore_uid: 0/0
Postponed publickey for weiler from 128.114.48.86 port 49490 ssh2
debug1: userauth-request for user weiler service ssh-connection method publickey
debug1: attempt 2 failures 1
debug1: temporarily_use_uid: 3495/100 (e=0/0)
debug1: trying public key file /cse/tstaff/weiler/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 3495/100 (e=0/0)
debug1: trying public key file /cse/tstaff/weiler/.ssh/authorized_keys2
debug1: matching key found: file /cse/tstaff/weiler/.ssh/authorized_keys2, line 2
Found matching RSA key: 4d:c0:33:3b:dd:75:89:bb:d1:36:e7:17:2b:85:34:9c
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Access denied for user weiler by PAM account configuration
debug1: do_cleanup
debug1: PAM: cleanup
Failed publickey for weiler from 128.114.48.86 port 49490 ssh2
debug1: do_cleanup
debug1: PAM: cleanup
%

Again, if I move my public key out of the way and try to log in with a
password it works fine.  Since it mentions my PAM configuration, here's
my /etc/pam.conf file:

login auth requisite          pam_authtok_get.so.1
login auth required           pam_unix_cred.so.1
login auth sufficient         pam_unix_auth.so.1
login auth sufficient         pam_krb5.so.1
login auth sufficient         pam_ldap.so.1
#
dtsession       auth sufficient         pam_unix_auth.so.1
dtsession       auth sufficient         pam_krb5.so.1
dtsession       auth sufficient         pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth binding            pam_krb5.so.1
krlogin auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth binding            pam_krb5.so.1
krsh    auth required           pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
ktelnet auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite          pam_authtok_get.so.1
other auth required           pam_unix_cred.so.1
other auth sufficient         pam_unix_auth.so.1
other auth sufficient         pam_krb5.so.1
other auth sufficient         pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth sufficient         pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
passwd   account sufficient        pam_unix_account.so.1
passwd   account sufficient        pam_ldap.so.1
#
other   account sufficient        pam_unix_account.so.1
other   account sufficient        pam_ldap.so.1
other   account sufficient        pam_krb5.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session sufficient      pam_unix_session.so.1
other   session sufficient      pam_ldap.so.1
other   session sufficient      pam_krb5.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1

Would any of you guys happen to have a clue as to where I'm going wrong?
Thanks a million in advance!

ciao, erich
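The debug output above fails at do_pam_account, and the posted pam.conf has no lines for an "sshd" service, so Solaris applies the "other account" stack (three "sufficient" modules and nothing "required") to the public-key login. The following is an added example, not code from the post or from OpenSSH: it parses a pam.conf excerpt, resolves which stack a service gets, and combines module results using the control-flag rules from Solaris pam.conf(4). The PAM_CONF text is a constructed excerpt modelled on the poster's file, and the module outcomes fed to evaluate_stack() are hypothetical inputs, not observed results; the service name "sshd" is OpenSSH's default PAM service name (the program name), assumed here rather than shown in the post.

```python
"""
Resolve which /etc/pam.conf stack Solaris applies to a PAM service and
walk it with the control-flag semantics from pam.conf(4).

Added example; not code from the original post or from OpenSSH.
"""
from collections import namedtuple

Entry = namedtuple("Entry", "service type flag module")

# Constructed excerpt modelled on the post's pam.conf (same flags/modules):
# cron has its own account line, everything else falls through to "other".
PAM_CONF = """\
# cron service (explicit because of non-usage of pam_roles.so.1)
cron    account required        pam_unix_account.so.1
#
other   account sufficient        pam_unix_account.so.1
other   account sufficient        pam_ldap.so.1
other   account sufficient        pam_krb5.so.1
"""


def parse_pam_conf(text):
    """Parse pam.conf lines into Entry tuples, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, flag, module = fields[:4]
        entries.append(Entry(service, mtype, flag.lower(), module))
    return entries


def resolve_stack(entries, service, mtype):
    """Solaris lookup: lines naming the service win; otherwise 'other' is used."""
    specific = [e for e in entries if e.service == service and e.type == mtype]
    if specific:
        return specific
    return [e for e in entries if e.service == "other" and e.type == mtype]


def evaluate_stack(stack, outcomes):
    """Combine module results; outcomes maps module -> True (success) / False.

    requisite:  failure returns failure immediately.
    required:   failure is remembered, the remaining modules still run.
    binding:    success with no earlier required failure returns success at
                once; failure is remembered like required.
    sufficient: success with no earlier required failure returns success at
                once; failure is ignored.
    optional:   only counts when nothing else decides.
    With no required/requisite/binding entries, at least one sufficient or
    optional module must succeed or the stack fails.
    """
    required_failed = False
    weak_success = False
    anchored = False  # set once a required/requisite/binding entry is seen
    for e in stack:
        ok = outcomes.get(e.module, False)  # unknown module: treated as error
        if e.flag == "requisite":
            anchored = True
            if not ok:
                return False
        elif e.flag == "required":
            anchored = True
            if not ok:
                required_failed = True
        elif e.flag == "binding":
            anchored = True
            if ok and not required_failed:
                return True
            if not ok:
                required_failed = True
        elif e.flag == "sufficient":
            if ok and not required_failed:
                return True
        elif e.flag == "optional":
            if ok:
                weak_success = True
        else:
            raise ValueError("unknown control flag %r" % e.flag)
    return (not required_failed) if anchored else weak_success


def account_result(outcomes, service="sshd"):
    """Run the account stack a service gets under the constructed PAM_CONF."""
    stack = resolve_stack(parse_pam_conf(PAM_CONF), service, "account")
    return evaluate_stack(stack, outcomes)


if __name__ == "__main__":
    # Hypothetical outcome: none of the three account modules succeeds.
    print("sshd, all modules fail:", account_result({}))
    # Hypothetical outcome: pam_ldap's account check succeeds.
    print("sshd, pam_ldap ok:", account_result({"pam_ldap.so.1": True}))
```

The resolver shows that with no "sshd" lines the session gets the "other" stack, and the evaluator shows what that stack needs: because every entry is "sufficient", the login is accepted the moment one module succeeds and denied only if all three fail, which is the condition under which sshd logs "Access denied ... by PAM account configuration". To test a theory about which module is failing, feed evaluate_stack() the outcome you suspect rather than guessing from the combined result.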




More information about the openssh-unix-dev mailing list